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Abstract 

Achieving secure communications in networks has been one of the most important 
problems in information technology. Dolev, Dwork, Waarts, and Yung have studied 
secure message transmission in one-way or two-way channels. They only consider the 
case when all channels are two-way or all channels are one-way. Goldreich, Goldwasser, 
and Linial, Franklin and Yung, Franklin and Wright, and Wang and Desmedt have 
studied secure communication and secure computation in multi-recipient (multicast) 
models. In a "multicast channel" (such as Ethernet), one processor can send the same 
message — simultaneously and privately — to a fixed subset of processors. In this paper, 
we shall study necessary and sufficient conditions for achieving secure communications 
against active adversaries in mixed one-way and two-way channels. We also discuss 
multicast channels and neighbor network channels. 

Keywords: network security, privacy, reliability, network connectivity 



1 Introduction 



If there is a private and authenticated channel between two parties, then secure communica- 
tion between them is guaranteed. However, in most cases, many parties are only indirectly 
connected, as elements of an incomplete network of private and authenticated channels. In 
other words they need to use intermediate or internal nodes. Achieving participants cooper- 
ation in the presence of faults is a major problem in distributed networks. Original work on 
secure distributed computation assumed a complete graph for secure and reliable commu- 
nication. Dolev, Dwork, Waarts, and Yung were able to reduce the size of the network 
graph by providing protocols that achieve private and reliable communication without the 
need for the parties to start with secret keys. The interplay of network connectivity and 
secure communication has been studied extensively (see, e.g., fjL |2|, [|, |^, For example, 
Dolev Q and Dolev et al. Q showed that, in the case of k Byzantine faults, reliable com- 
munication is achievable only if the system's network is 2fc + 1 connected. They also showed 

*An extended abstract of this paper has appeared in fla] 
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that if all the paths are one way, then 3k + 1 connectivity is necessary and sufficient for 
reliable and private communications. However they did not prove any results for the general 
case when there are certain number of directed paths in one direction and another number 
of directed paths in the other direction. While undirected graphs correspond naturally to 
the case of pairwise two-way channels, directed graphs do not correspond to the case of 
all-one- way or all-two- way channels considered in |j| , but to the mixed case where there are 
some paths in one direction and some paths in the other direction. In this paper, we will 
initiate the study in this direction by showing what can be done with a general directed 
graph. Note that this scenario is important in practice, in particular, when the network is 
not symmetric. For example, a channel from A to B is cheap and a channel from B to A is 
expensive but not impossible. Another example is that A has access to more resources than 
B does. 

Goldreich, Goldwasser, and Linial jlO|, Franklin and Yung Franklin and Wright |Q, 
and Wang and Desmedt [ fl7| have studied secure communication and secure computation 
in multi-recipient (multicast) models. In a "multicast channel" (such as Ethernet), one 
participant can send the same message — simultaneously and privately — to a fixed subset 
of participants. Franklin and Yung Q have given a necessary and sufficient condition for 
individuals to exchange private messages in multicast models in the presence of passive ad- 
versaries (passive gossipers). For the case of active Byzantine adversaries, many results have 
been presented by Franklin and Wright [Q , and, Wang and Desmedt |17j . Note that Goldre- 
ich, Goldwasser, and Linial JlC) ] have also studied fault-tolerant computation in the public 
multicast model (which can be thought of as the largest possible multirecipient channels) in 
the presence of active Byzantine adversaries. Specifically, Goldreich, et al. |L0| have made 
an investigation of general fault-tolerant distributed computation in the full-information 
model. In the full information model no restrictions are made on the computational power 
of the faulty parties or the information available to them. (Namely, the faulty players may 
be infinitely powerful and there are no private channels connecting pairs of honest players). 
In particular, they present efficient two-party protocols for fault-tolerant computation of any 
bivariate function. 

There are many examples of multicast channels (see, e.g. 0), such as an Ethernet bus or 
a token ring. Another example is a shared cryptographic key. By publishing an encrypted 
message, a participant initiates a multicast to the subset of participants that is able to 
decrypt it. 

We present our model in Section |2[ In Sections || and Q we study secure message 
transmission over directed graphs. Section ^ is devoted to reliable message transmission 
over hypergraphs, and Section ^ is devoted to secure message transmission over neighbor 
networks. 

2 Model 

We will abstract away the concrete network structures and consider directed graphs. A 
directed graph is a graph G(V, E) where all edges have directions. For a directed graph 
G(V,E) and two nodes A, B G V, throughout this paper, n denotes the number of vertex 
disjoint paths between the two nodes and k denotes the number of faults under the control of 
the adversary. We write |5| to denote the number of elements in the set S. We write x Er S 
to indicate that x is chosen with respect to the uniform distribution on S. Let F be a finite 
field, and let a, 6, c, M G F. We define auth(M; a, b) := aM + b (following @, § H H) and 
auth(M; a, b, c) := aM 2 + bM + c (following fTijl ). Note that each authentication key key = 
(a, b) can be used to authenticate one message M without revealing any information about 
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any component of the authentication key and that each authentication key key — (a, b, c) 
can be used to authenticate two messages Mi and M 2 without revealing any information 
about any component of the authentication key. We will also use a function (...) which maps 
a variable size (we assume that this variable size is bounded by a pre-given bound) ordered 
subset of F to an image element in a field extension F* of F, and from any image element 
we can uniquely and efficiently recover the ordered subset. Let k and n be two integers 
such that 0<fc<n<3fc + l. A (k + l)-out-of-n secret sharing scheme is a probabilistic 
function S: F — > F™ with the property that for any M € F and S(M) = (vi, . . . ,v n ), no 
information of M can be inferred from any k entries of (vi, . . . , v n ), and M can be recovered 
from any k + 1 entries of (vi, . . . ,v n ). The set of all possible (v±, . . . , v n ) is called a code 
and its elements codewords. We say that a (k + l)-out~of-ra secret sharing scheme can detect 
k' errors if given any codeword , v n ) and any tuple (ui, . . . ,u n ) over F such that 

< \{i : Ui ^ Vi,l < i < n}\ < k' one can detect that {ui, . . . ,u n ) is not a codeword. 
If the code is Maximal Distance Separable, then the maximum value of errors that can be 
detected is n — k — 1 We say that the (k + l)-out-of-n secret sharing scheme can 

correct k' errors if from any S(M) = (vi, . . . , v n ) and any tuple (ui, . . . ,u n ) over F with 
\{i : Ui ^ Vi,l < i < n}\ < k' one can recover the secret m. If the code is Maximal 
Distance Separable, then the maximum value of errors that allows the recovery of the vector 
(vi, . . . , v n ) is (n - k - l)/2 @. A (k + l)-out-of-n Maximal Distance Separable (MDS) 
secret sharing scheme is a (fc + l)-out-of-n secret sharing scheme with the property that for 
any k' < (n — k — 1)/2, one can correct k' errors and simultaneously detect n — k — k' — \ errors 
(as follows easily by generalizing |l2|, p. 10]). Maximal Distance Separable (MDS) secret 
sharing schemes can be constructed from any MDS codes, for example, from Reed-Solomon 
code 

In a message transmission protocol, the sender A starts with a message M A drawn from 
a message space M. with respect to a certain probability distribution. At the end of the 
protocol, the receiver B outputs a message M B . We consider a synchronous system in 
which messages are sent via multicast in rounds. During each round of the protocol, each 
node receives any messages that were multicast for it at the end of the previous round, flips 
coins and perform local computations, and then possibly multicasts a message. We will also 
assume that the message space M. is a subset of a finite field F. 

We consider two kinds of adversaries. A passive adversary (or gossiper adversary) is an 
adversary who can only observe the traffic through k internal nodes. An active adversary (or 
Byzantine adversary) is an adversary with unlimited computational power who can control 
k internal nodes. That is, an active adversary will not only listen to the traffics through the 
controlled nodes, but also control the message sent by those controlled nodes. Both kinds 
of adversaries are assumed to know the complete protocol specification, message space, and 
the complete structure of the graph. In this paper, we will not consider a dynamic adversary 
who could change the nodes it controls from round to round, instead we will only consider 
static adversaries. That is, at the start of the protocol, the adversary chooses the k faulty 
nodes. An alternative interpretation is that k nodes are static collaborating adversaries. 

For any execution of the protocol, let adv be the adversary's view of the entire protocol. 
We write adv(M, r) to denote the adversary's view when M A = M and when the sequence 
of coin flips used by the adversary is r. 

Definition 2.1 (see Franklin and Wright Qj) 

1. Let 8 < i. A message transmission protocol is S -reliable if, with probability at least 
1 — 5, B terminates with M B = M A . The probability is over the choices of M A and 
the coin flips of all nodes. 
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2. A message transmission protocol is reliable if it is -reliable. 

3. A message transmission protocol is e-private if, for every two messages Mo, Mi and 
every r, \^ > *\a>dv(Mo,r) = c] — Pr[adv(Mi, r) = c]\ < 2s. The probabilities are taken 
over the coin flips of the honest parties, and the sum is over all possible values of the 
adversary's view. 

4- A message transmission protocol is perfectly private if it is O-private. 

5. A message transmission protocol is (e, <5)-secure if it is e-private and 5-reliable. 

6. An (s, 5)-secure message transmission protocol is efficient if its round complexity and 
bit complexity are polynomial in the size of the network, log - (if e > ) and log i (if 
6>0). 

For two nodes A and B in a directed graph such that there are 2k + 1 node disjoint paths 
from A to B, there is a straightforward reliable message transmission from A to B against 
a fc-active adversary: A sends the message m to B via all the 2k + 1 paths, and B recovers 
the message m by a majority vote. 



3 (0, £)-Secure message transmission in directed graphs 

Our discussion in this section will be concentrated on directed graphs. Dolev, Dwork, 
Waarts, and Yung || addressed the problem of secure message transmissions in a point-to- 
point network. In particular, they showed that if all channels from A to B are one-way, then 
(3fc + l)-conncctivity is necessary and sufficient for (0,0)-secure message transmissions from 
A to B against a fc-active adversary. They also showed that if all channels between A and B 
are two-way, then (2k + l)-connectivity is necessary and sufficient for (0,0)-secure message 
transmissions between A and B against a fc-active adversary. In this section we assume that 
there are only 2k + 1 — u directed node disjoint paths from A to B, where 1 < u < k. We 
show that u directed node disjoint paths from B to A are necessary and sufficient to achieve 
(0, <5)-secure message transmissions from A to B against a fc-active adversary. 

Franklin and Wright showed that even if all channels between A and B are two way, 
2fc + 1 channels between A and B are still necessary for (1 — <5)-reliable (assuming that 

<5 < i fl — IFf)) messa S e transmission from A to B against a fc-active adversary. 

Theorem 3.1 (Frandlin and Wright jfy) Let G(V,E) be a directed graph, A,BeV, and 
there are only 2k two-way node disjoint paths between A and B in G. Then 5-reliable message 
transmission from A to B against a k-active adversary is impossible for 8 < | ^1 — jpj^j ■ 

In the following, we first show that if there is no directed path from B to A, then 2k + 1 
directed paths from A to B is necessary and sufficient for (0, 5)-secure message transmission 
from A to B. 

Theorem 3.2 Let G(V,E) be a directed graph, A,B S V, and < 5 < \. Lf there is 
no directed paths from B to A, then the necessary and sufficient condition for (0,6) -secure 
message transmission from A to B against a k-active adversary is that there are 2k + 1 
directed node disjoint paths from A to B. 



Proof. The necessity is proved in Theorem 3.1. Let pi, ■ ■ ■ ,P2k+i be the 2fc + 1 directed 



node disjoint paths from A to B. Let M A £ F be the secret that A wants to send to B. A 
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constructs (k + l)-out-of-(2fc+ 1) secret shares (s A , . . . , s A k+l ) of M A . The protocol proceeds 
from round 1 through round 2k + 1. In each round 1 < i < 2k + 1, we have the following 
steps: 

Step 1 A chooses {(af d ,bf tj ) e R F 2 : 1 < j < 2k + 1}. 
Step 2 A sends (sf, auth(sf ; af lt bf x ), . . . , auth(sf ; 

a ^2k+i ' ^2k+i )) to .B via pathpj, and 
sends {afj, bfj) to B via path p,- for each 1 < j < 2k + 1. 

Step 3 £? receives (sf , cf x , . . . , cf 2k+1 ) via path pi, and receives (afj,b B j) via path pj for 
each 1 < j < 2k + 1. 

Step 4 5 computes t = \{j : cf } = auth(sf ; afj, bfj)}\. If t > k + 1, then 5 decides that 
sf is a valid share. Otherwise B discards sf . 

It is easy to check that after the round 2k + 1, with high probability, B will get at least 
k + 1 valid shares of s" 4 . Thus, with high probability, B will recover the secret M B — M A . 
It is straightforward that the protocol achieves perfect privacy. Thus the above protocol 
is a (0, (5)-secure message transmission protocol from A to B against a fc-active adversary. 
Q.E.D. ' □ 



By Theorem 3.1, the necessary condition for (0, <5)-secure message transmission from A to 
B against a fc-active adversary is that there are at least k + 1 node disjoint paths from A 
to B and there are at least 2k + 1 node disjoint paths in total from A to B and from B to 
A. In the following, we show that this condition is also sufficient. We first show that the 
condition is sufficient for k = 1. 

Theorem 3.3 Let G{V, E) be a directed graph, A, B £ V . If there are two directed node 
disjoint paths po and p\ from A to B , and one directed path q ( which is node disjoint from pq 
and pi) from B to A, then for any < S < i there is a (0, S)-secure message transmission 
protocol from A to B against a 1- active adversary. 

Proof. In the following protocol, A (0, (5)-securely transmits a message M A S F to B. 

Step 1 A chooses s A <E R F, (a A ,b A ), (a A ,b A ) £ R F 2 , and let s A = M A - s A . For each 
i € {0, 1}, A sends (sf , (af, bf ), auth(sf ; af_ if b A _A) to B via path p, ; . 

Step 2 Assumes that B receives (sf, (af ,bf),cf) via path pi. B checks whether cf = 
a,uth(sf;af_ i ,bf_ i ) for i = 0,1. If both equations hold, then B knows that with 
high probability the adversary was either passive or not on the paths from A 
to B. B can recover the secret message, sends "OK" to A via the path q, and 
terminates the protocol. Otherwise, one of equations does not hold and B knows 
that the adversary was on one of the paths from A to B. In this case, B chooses 
(a B ,b B ) £ R F 2 , and sends ((a B , b B ), (sf , (a B , b B ), c B ), (sf , (af , bf ), cf )) to A via 
the path q. 

Step 3 If A receives "OK" , then A terminates the protocol. Otherwise, from the informa- 
tion A received via path q, A decides which path from A to B is corrupted and 
recovers B's authentication key (a A ,b A ). A sends (M A , auth(M j4 ; a A , b A )) to B 
via the uncorrupted path from A to B. 

Step 4 B recovers the message and checks that the authenticator is correct. 



Similarly as in the proof of Theorem 3.2, it can be shown that the above protocol is (0, in- 



secure against a 1-active adversary. Q.E.D. □ 
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Theorem 3.4 Let G(V,E) be a directed graph, A,B € V, and k > u > 1. If there are 
2k + 1 — u directed node disjoint paths p\, . . ., P2k+i-u from A to B, and u directed node 
disjoint paths qi, . . ., q u (qi, ■ ■ ., q u ore node disjoint fvom p± } . . p2k-\-i— u 

) from B to A, 

then for any < 5 < \, there is an efficient (0, S) -secure message transmission protocol from 
A to B against a k-active adversary. 

Before we give an efficient (0, <5)-secure message transmission protocol from A to B. We 
first demonstrate the underlying idea by giving a non-efficient (exponential in k) (0, <5)-secure 
message transmission protocol from A to B against a fc-active adversary. Let M A G F be 
the secret that A wants to send to B, and V\ , . . . , Vt be an enumeration of size k + 1 subsets 
of {pi, . . . ,p2k+i-ui 9i, ■ ■ ■ , Qu}- The protocol proceeds from round 1 through t. In each 
round f < m < t, we have the following steps: 

Step 1 For each p., G V m , A chooses {af m , b£ m ) £r F 2 and sends (a^ m ,bf m ) to B via Pi. 

Step 2 For each pi G P m , B receives (af m ,bf m ) from A via pi. 

Step 3 For each qi G V m , B chooses (cf m , d? m ) G^ F 2 and sends {cf m ,df m ) to A via qi. 
Step 4 For each qi G V mi A receives (cf m , df m ) from B via qi. 

Step 5 A computes C A = Y. Pl ev m a tm + J2 qi ev m c tm D A = J2 P ^v m b tm+T, qi ev m d t^ 
and sends (M A + C A , auth(M A + C A ; C A , D A j) to B via all paths in Pl in V m . 

Step 6 For each pi G P m , B receives (ef m , ff m ) from A via pj. 

Step 7 If (ef m , /^ m ) = {e? m , f? m ) for all Pl:Pj G then B goes to Stepg Otherwise, 
-B goes to round m + 1 . 

Step 8 B computes C B = E PlGPm a fm+E gi eP m c i,m> 1)3 = E P<ePm 6?m+E w g7» m 

Step 9 If /f m = auth(/f m ;C s ,L> B ), then B computes the secret M B = f? m - C B and 
terminates the protocol. Otherwise, B goes to round m + 1. 

Since there is at least one P m such that all paths in V m are not corrupted, B receives the 
correct secret by the end of the protocol with high probability. It is also straightforward to 
check that the above protocol has perfect secrecy. 

Proof. (Proof of Theorem [O]) Let M A G F be the secret that A wants to send to B. A 
constructs (k + l)-out-of-(2fe + 1 — u) secret shares (s A , . . . , s A k+1 _ u ) of M A . The protocol 
proceeds from round I through 2k + 2 + u. For each round 1 < i < 2k + 1 — u, we have the 
following steps: 

Step 1 A chooses {(af^, b A j) e R F 2 , : I < j < 2k + 1 - u}. 

Step 2 A sends {sf , auth(sf ; a A 1} b A x ), . . ., auth(sf ; a A 2k+1 _ u , b A 2k+1 _ u )} to B via path 
Pi, and sends (afj, b A j) to B via path pj for each 1 < j < 2k + I — u. 

Step 3 B receives {sf , d^, . . . , df 2fe+1 „ u } via path p i7 and (a B j,b B j) via path for each 
\ < j <2k + l- u. 

Step 4 £ computes t = \{j : df tj = auth(sf ; afj, bf j)}\. If t > k + 1, then £? decides that 
sf is a valid share. Otherwise B decides that sf is an invalid share. 
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At the end of round 2k + 1 — u, if B has received k + 1 valid shares, then B recovers the 
secret M B from these valid shares and terminates the protocol. Otherwise, B proceeds to 
round 2k + 2 — u. In round 2k + 2 — u, we have the following steps: 

Step 1 A chooses {(af, bf, cf ) e R F 3 : 1 < i < 2k + 1 - u}, and sends (af, bf, cf) to B 
via path pi for each i < 2k + 1 — u. 

Step 2 For each l<z<2/c + l— it, B receives (of, bf , cf) on path p, from ^4 (if no value 
is received on path pi, B sets it to a default value). 

Step 3 For each 1 < i < 2k+l-u, B chooses rf e R F and computes fi B = {(rf , auth(rf ; of , 6f , cf )) : 
1 < i < 2k + 1 -u}. 

In each round 2fc + 3 — u < i < 2k + 2, we have the following steps: 

Step 1 B chooses (df ,ef ) G K F 2 and {(«?., G H F 2 : 1 < j < «}. 

Step 2 S sends (df , ef ), /3 s , and {auth((df , ef ); u/* io?.) : 1 < j < u} to A via path 
and (vfj,wfj) to A via path qj for each 1 < j < u. 

Step 3 A receives (or substitutes default values) (df, ef), (if, and {cefj : 1 < j < u} from 
B via path Oi, and (u^-, io£.) from i? via path g, for each 1 < j < u. 

According to the values that A has received, A divides the paths set {gi, . . . , q u } into subsets 
Qi, ■ ■ ■ ,Qt such that for any I, m, n with 1 < I < t, 1 < m, n < u, and q m , q n £ Qi, we have 

1 R A = Q A - 

2. af n = auth((df ,ef );v B in ,wf in ); 
3- a£, m = auth((df ,ef);v B m ,wf m ). 
For each Qi , let g m S Qi and = { (rf t ,-ffi) : 1 < i < 2fc + 1 — u} . A computes the number 
t, = |{t : 7u = auth(r$; af , bf, cf), 1 < i < 2k + 1 - u}\ + \Q t \ 

If ti < k, then A decides that Qi is an unacceptable set, otherwise, A decides that Qi is an 
acceptable set. Let Qi — for t < I < u. 

For each round 2k + 3 < I < 2k + 2 + u, we have the following steps: 

Step 1 If Qi = or Qi is an unacceptable set, then go to round l + l. 
Step 2 A computes Vi = {pt : jf t = auth(rf,; af , bf , cf ), 1 < i < 2k + 1 - u}, Cf = 
E^ev, < + E 9l£Qi df, and Df = ^ eVl bf + E 9l£Qi ef. 

Step 3 A sends ((Qi,Vi, M A + C^),a,uth((Qi,Vi, M A + Cf-); C/ 4 , Df)) to £? via all paths 
p 4 G Pi- 

Step 4 _B receives (af , /3fJ from path for 1 < « < 2fc + 1 — m. 

Step 5 For each 1 < i < 2k+l-u, B computes af = ( Qf , Vf x , (3^ ) , C B = Y, Pj ev t , a f + 

Step 6 For each 1 < i < 2fc + 1 - u, B checks whether /3f = auth(af ; Cf ; , Df x ). If the 
equation holds, then B computes the secret M B = /3f t — C B V 
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If B has not got the secret at the end of round 2k + 1 — u, then there exists an uncorrupted 
path qj from B to A and a paths set Qi such that qj € Q; and the information that A 
receives from paths in Qi are reliable. Thus, at the end of round 2k + 2 + u, B will output 
a secret M B . It is easy to check that, with high probability, this secret is the same as M A . 

It is straightforward to show that the protocol achieves perfect privacy. Thus it is a 
(0, 5)-secure message transmission transmission protocol from A to B against a fc-active 
adversary. Q.E.D. □ 



4 (0, 0)-Secure message transmission in directed graphs 

In the previous section, we addressed probabilistic reliable message transmission in directed 
graphs. In this section, we consider perfectly reliable message transmission in directed 
graphs. We will show that if there are u directed node disjoint paths from B to A, then a 
necessary and sufficient condition for (0, 0)-secure message transmission from A to B against 
a fc-active adversary is that there are max{3fc + 1 — 2u, 2k + 1} directed node disjoint paths 
from A to B. 

Theorem 4.1 Let G(V, E) be a directed graph, A,BgV. Assume that there are u directed 
node disjoint paths from B to A. Then a necessary condition for (0,0)-secure message 
transmission from A to B against a k-active adversary is that there are max{3fc + 1 — 
2u, 2k + 1} directed node disjoint paths from A to B. 

Proof. If u = 0, then by the results in we need 3fc + 1 directed node disjoint paths 
from A to B for (0, 0)-secure message transmission against a fc-active adversary. If u > |~|] , 
then again by the results in we need 2k + 1 directed node disjoint paths from A to B for 
0-reliable (that is, perfectly reliable) message transmission from A to B against a fc-active 
adversary. From now on, we assume that < u < |~|~|. 

For a contradiction, we assume that there are only 3fc — 2u directed node disjoint paths 
from A to B, denoted as p\, . . . ,pzk-iu- Let q\,...,q u be the directed node disjoint paths 
from B to A. 

Let II be a (0, 0)-secure message transmission protocol from A to B. In the following, 
we will construct a fc-active adversary to defeat this protocol. The transcripts distribution 
view^ of A is drawn from a probability distribution that depends on the message M A to 
be transmitted by A, the coin flips R A of A, the coin flips R B of B, the coin flips R A of 
the adversary (without loss of generality, we assume that the value R A will determine the 
choice of faulty paths controlled by the adversary), and the coin flips R r of all other honest 
nodes. Without loss of generality, we can assume that the protocol proceeds in steps, where 
A is silent during even steps and B is silent during odd steps (see ^|). 

The strategy of the adversary is as follows. First it uses R A to choose a value b. lib = 0, 
then it uses R A again to choose fc directed paths p ai , . . . ,p ak from Ato B and controls the 
first node on each of these fc paths. If b — 1, then it uses R A again to choose fc — u directed 
paths p 0l , . . . ,Pa k ^ u from A to B and controls the first node on each of these fc — u paths 
and the first node on each of the u paths from B to A. It also uses R A to choose a message 
M A € F according to the same probability distribution from which the actual message M A 
was drawn. In the following we describe the protocol the adversary will follow. 

• Case 6 = 0. The fc paths p ai , . . . ,p Qfe behaves as a passive adversary. That is, it 
proceeds according to the protocol II. 
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• Case 6=1. The fc — u paths p ai , . . . ,p ak _ n ignores what A sends in each step of the 
protocol and simulates what A would send to B when A sending M A to B. The u 
paths from B ignores what B sends in each step of the protocol and simulates what 
B would send to A when 6 = 0. 

In the following, we assume that the tuple (M A , R A , R B , R T , R A ) is fixed, 6 = 0, the protocol 
halts in I steps, and the view of A is view A (M A , R A ,R B ,R T , R A ). Let a A 3 be the values 
that A sends on path pi in step j and af = (a A v . . . , afA, We can view af as shares of 
the message M A . Similarly, let afj be the values that B receives on path pi in step j and 
«f = (oft, •••,<;)• 

First, it is straightforward to show that for any fc paths p ai , . . . ,p ak from A to B, there 
is an R A such that 6 = 0, the adversary controls the paths p ai , . . . ,p ak , and 

view A (M A ,R A ,R B ,R T ,R A ) = vtew A (M A , R A , R B , R T , R A ) (1) 

Due to the fact that II is a perfectly private message transmission protocol, from any 
k shares from (af, a A , . . . , a A k _ 2u ) one cannot recover the secret message M A . Thus 
(af, af, . . . , af k _ 2u ) is at least a (k + l)-out-of-(3/c — 2u) secret sharing scheme. 

Secondly, for any k — u paths p ai , . . . , p afc _„ from A to B, there is an R A such that 6=1, 
M A ^ M A , the adversary controls the paths p ai , . . . ,p ak u , q\, . . . , q u , and 

view A (M A , R A , R B , i? r , R A ) = mew A {M A , R A , R B ,R r , R A ) (2) 

Due to the fact that II is a perfectly reliable message transmission protocol, any k — u errors 
in the shares (af , a B , . . . , c^ fe _ 2u ) can be corrected by B to recover the secret message M A . 

In summary, (a A ,a A , . . . 1 S A k _ 2u ) is at least a (k + l)-out-of-(3fc — 2u) secret sharing 
scheme that can correct k — u errors. By the results in ]l2|] , we know that the maximum 
number of errors that a (fc + l)-out-of-(3fc — 2u) secret sharing scheme could correct is 

(3fc - 2u) - k - 1 
2 

This is a contradiction, which concludes the proof. Q.E.D. □ 

For the sufficient condition, we first show the simple case for u = 1. 

Theorem 4.2 Let G(V,E) be a directed graph, A,BeV, and k > 2. If there are 3fc — 1 
directed node disjoint paths pi, ■ ■ ■ ,P3k-i from A to B and one directed path q from B to 
A (q is node disjoint from pi, . . . ,psk-i) then there is a (0,0)-secure message transmission 
protocol from A to B against a fc- active adversary. 

Proof. In the following protocol 7r, A (0, 0)-securely transmits M A F to B: 
Step 1 Both A and B sets 1=1. 

Step 2 A constructs (fc + l)-out-of-(3fc - 1) MDS secret shares {s A j, —jS^f,^ 7 ) of M A . 
For each l<i<3fc — 1, A sends sfj to B via the path p\. 

Step 3 For each i < 3fc— 1, B receives sfj on path pi. By correcting at most fc — 1 errors, 
B recovers a value Mf from these shares. B sends sfj to A via the path q. 

Step 4 A receives sfj from q. A distinguishes the following two cases: 



2k -2i 



= fc — u — 1. 
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1. s f I = sf I . A reliably sends "path p/ maybe OK" , sets / = 7+1. If I > 3k-l 
then goes to Step ||, otherwise, goes to Step EL 

2. sf j ^ sfj. A reliably sends "path pj or q is faulty". A constructs A;-out-of- 
(3fc - 2) MDS secret shares {rfj : i ^ 1, 1 < i < 3k - 1} of M A . For each 
i < 3k — 1 such that i ^ I, A sends rfj to B via the path p^. A terminates 
the protocol. 

Step 5 B distinguishes the following two cases: 

1. B reliably receives "path pj maybe OK" . B sets 1 = 1+1. If / > 3fc — 1 then 
goes to Step ^, otherwise, goes to Step ||. 

2. B reliably receives "path pj or q is faulty". In this case, B also receives rfj 
from path pi for each i ^ I. By correcting at most k — 1 errors, -B recovers 
M B from these shares and terminates the protocol. 

Step 6 B checks whether Mf = for all 1 < i, j < 3k — 1. If all these values are equal, 
then B sets M B = M B , sends "stop" to A via q, and terminates the protocol. 
Otherwise, B sends the shares (sf 3fe _ 1 , sf k _ : 3k _ 1 ) to A via q. 

Step 7 A distinguishes the following two cases: 

1. A receives (sf^-ii •••> *3k-i ak-l) on ^ ne P a th q. A computes V — {i : 
^3k-i 7^ s i 4 3fc-i}' reliably sends V to -B, and terminates the protocol. 

2. ^4 receives anything else. A terminates the protocol. 

Step 8 B reliable receives V from A, recovers M B from the shares {sf 3k _ 1 : i ^ P}, and 
terminates the protocol. 

Since there could be k faulty paths from A to B, and a (k + l)-out-of-(3fc — 1) MDS secret 
sharing scheme can correct at most k — 1 errors and simultaneously detect k — 1 errors. B 
may recover an incorrect message Mf in Step [| B therefore needs to verify whether it has 
recovered the correct message in the following steps. Note that if q is faulty, then B must 
have recovered the correct message in Step || for each /. In Step ||, B also sends sfj to A 
via the path q. This does not violate the perfect privacy property since if there are k — 1 
faulty paths from A to B, then the adversary gets at most k shares including this share, 
and if there are k faulty paths from A to B, then the adversary does not control the path q 
and does not get this share. 

In Step ||, if sfj = sf T , then it could be the case that sfj = sfj or it could be the case 
that the path q is faulty. In any case, we have to continue the protocol further. However, if 
sfj sfj, then A is convinced that either pj or q is faulty. Since a fc-out-of-(3A; — 2) MDS 
secret sharing scheme could correct k — 1 errors and detect k — 1 errors simultaneously. B 
will recover the correct message in Step §. 

Now assume that B does not recover the correct message at the end of round I = 3k — 1. 
We can distinguish the following two cases: 

• B recovers the same message Mf in all 3k — 1 rounds. If this happens, B is convinced 
that this uniquely recovered message is the correct message. Note that this follows from 
the following two arguments: If the path q is faulty, then obviously B has recovered 
the same correct message in each round. If the path q is non-faulty and we assume 
that the path p t (1 < t < 3k — 1) is faulty, then in order for the adversary to avoid 
being caught by A in round t, p t must behave nicely in round t, that is, sf t = sf t 
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(otherwise A has identified that q or p t is faulty in round t) . Thus there are at most 
k — 1 errors in the shares that B received in round t and B recovers the correct message 
in round t. 

• B recovers different messages in these 3fc — 1 rounds. This happens only if q is honest. 
Thus, B could send the shares it receives in round 3k — 1 to A via path q and A can tell 
B which shares are incorrect. Thus B could recover the correct message from these 
non- faulty shares (there are at least 2k — 1 non-faulty shares). 

The above arguments show that the protocol n is (0, 0)-secure against a fc-active adversary. 
Q.E.D. □ 



Theorem 4.3 Let G(V,E) be a directed graph, A,B 6 V, and k > 2. If there are n — 
max{3fc + 1 — 2u, 2k + 1} directed node disjoint paths pi, ■ ■ ■ ,p n from A to B and u directed 
path gi, . . . , q u from B to A (qi, . . . , q u are node disjoint from pi, . ■ ■ ,p n ) then there is a 
(0,0) -secure message transmission protocol from A to B against a k-active adversary. 



Proof. For u = 1 or k = 2, the result is proved in Theorem |4.2| . We prove the theorem 
by induction. Assume that u > 1, k > 2, and the theorem holds for u — 1 and k — 1. In the 
following, we show that the Theorem holds for u and k by induction. 

Let H — {hj : hj — (p Ii: . . . ,pi u )} be the set of all ordered u-subsets of {pi, . . . ,p n }. 
Then \H\ = ' ^ n ^ ne following protocol n, A (0, 0)-securely transmits M A F to B: 

Step 1 Both A and B set I = 1. 

Step 2 A constructs (k + l)-out-of-n MDS secret shares (s^j, ...,s^ 7 ) of M A . For each 
i < n, A sends sfj to B via the path pi. 

Step 3 For each i < n, B receives (or sets default) sfj on path pi. By correcting at most 

k — u errors, B recovers a value Mf from these shares. For each i < u, B sends 
sf rI to A via the path qi. Note that we assume hi — (pi 1 , . . . ,pi u ) here. 

Step 4 For each i < u, A receives (or sets default) sf. T from qi. A distinguishes the 
following two cases: 

1. sf iI = sf iI for all i < u. A reliably sends "paths in hi maybe OK", sets 
1 = 1 + 1. If I > \H\ then A goes to Step ^, otherwise, goes to Step ||. 

2. sf. i ^ sf. j for some Iq < u. A reliably sends "path pi iQ or qi is faulty". 
A goes to the (0, 0)-secure message transmission protocol against a (k — In- 
active adversary on the paths {pi : i ^ U {qi : i iq} to transmit M A 
to B (here we use induction). 

Step 5 B distinguishes the following two cases: 

1. B reliably receives "paths in hi maybe OK". B sets 1 = 1+1. If/> \H\ 
then goes to Step |6[ otherwise, goes to Step ||. 

2. B reliably receives "path pi i or qi is faulty". In this case, B goes to the 
(0, 0)-secure message transmission protocol against a (k— l)-active adversary 
on the paths {pi : i ^ Ii } U {qi : i ^ io} and receives the message M B . 
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Step 6 B computes whether M B — M B for all i,j < \H\. If all these values are equal, 

then B sets M B = Mf, sends "stop" to A via all paths qi, and terminates the 
protocol. Otherwise, B goes to Step ||. 

Step 7 If A receives "stop" on all paths qi,...,q u , then A terminates the protocol, 
otherwise, A goes to Step |[ 

Step 8 A chooses R A F, constructs (k + l)-out-of-n MDS secret shares (sf, . . . ,sf) 
of i?^, and sends sf to -B via path pi for each i < n. 

Step 9 For each i < n, B receives (or sets default) sf on path pi. B distinguishes the 
following two cases: 

1. There are errors in the shares (sf , . . . , sf). In this case, for each j < u, B 
sends (sf , . . . , sf) to A via the path qj. Note that a (k + l)-out-of-n MDS 
secret sharing scheme could be used to detect n — k — 1 > k errors. 

2. There is no error in the shares (sf , . . . , sf). B recovers the value i?f from 
these shares and for each j < u, B sends "OK" to A via path qj. 

Step 10 For each j < u, A receives (or sets default) (sfj, ■ ■ • , s^ 3 ) from the path qj. A 
distinguishes the following two cases: 

1. sf • 7^ sf for some io < n and jo < u. A reliably sends "path p.i or qj 
is faulty" to B. A goes to the (0,0)-secure message transmission protocol 
against a (k — l)-active adversary on the paths {pi : i ^ io} U {qj : j ^ jo} 
to transmit M A to B (here we use induction again). 

2. All other cases. A reliably transmits "continue the protocol" to B and goes 
to Step [l2[ 

Step 11 B distinguishes the following two cases: 

1. B reliably receives "continue the protocol". B goes to Step |l2[ 

2. B reliably receives "path pi or qj is faulty". In this case, B goes to the 
(0, 0)-secure message transmission protocol against a {k— l)-active adversary 
on the paths {pi ■ i ^ io} U [qj : j ^ jo} and receives the message M B . 

Step 12 A computes R A = M — constructs (k + l)-out-of-n MDS secret shares 
(sf, . . . , s^) of R%, and sends sf to B via path pi for each i < n. 

Step 13 For each i < n, B receives (or sets default) sf on path pi. B distinguishes the 
following two cases: 

1. There are errors in the shares (sf , . . . , sf). In this case, for each j < u, B 
sends (sf , . . . , sf ) to A via the path qj. 

2. There is no error in the shares (sf , . . . , sf). B recovers the value R B from 
these shares, computes the secret M B = i?f + R B , and for each j < u, B 
sends "OK" to A via path qj . B terminates the protocol. 

Step 14 For each j < u, A receives (or sets default) (sfj, ■ ■ ■ ,sfj) from the path qj. A 
distinguishes the following two cases: 

1. sf j Q ^ s A for some io < n and jo < u. A reliably sends "path pi or qj 
is faulty" to B. A goes to the (0,0)-secure message transmission protocol 
against a (k — l)-active adversary on the paths {pi : i ^ io} U {qj : j ^ jo} 
to transmit M A to B. 
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2. All other cases. A reliably transmits "the protocol is complete" to B and 
terminates the protocol. 

Step 15 B distinguishes the following two cases: 

1. B reliably receives "the protocol is complete". B terminates the protocol. 

2. B reliably receives "path p io or qj is faulty". In this case, B goes to the 
(0, 0)-secure message transmission protocol against a (k— l)-active adversary 
on the paths {pi : i ^ io} U {qj : j ^ jo} and receives the message M B . 

Since there could be k faulty paths from A to B, and a (k + l)-out-of-n MDS secret sharing 
scheme in Steps || and || can correct at most k — u errors and simultaneously detect k — u 
errors. B may recover an incorrect message Mf in Step ^. B therefore needs to verify 
whether it has recovered the correct message in the following steps. Note that if all the 
paths from B to A are faulty, then B must have recovered the correct message in Step || for 
each I < \7i\. In Step ||, B also sends sf j to A via the path q^. This will not violate the 
perfect privacy property since if there are t faulty paths from B to A, then the adversary 
gets k — t shares from the A to B paths and t shares from the B to A paths. That is, the 
adversary gets at most k shares. 

In Step |], ii sf. j — sf. j for all i < u, then for each i < u, it could be the case that 
sf. j = sf j or it could be the case that the path qi is faulty. In any case, we have to continue 
the protocol further. However, if sf j ^ sf l for some io < u, then A is convinced that 
either pi io or g, is faulty. Thus if we delete the two paths pi iQ and qi , we have at most 
k — 1 unknown faulty paths, n — 1 paths from A to B, and u — 1 paths from B to A. Since 

max{3(fc- 1) + 1 - 2(u - l),2(fc - 1) + 1} = max{3fc - 2u - 4, 2k - 1} 

< max{3/c — 2u, 2k} 
= n-l, 

there is (by induction) a (0, 0)-secure message transmission protocol from A to B against a 
(k — l)-active adversary on the paths {pi : i ^ Ii } U {<& : i ^ io}, B recovers the correct 
message M B in Step ||. 

Assume that B does not recover the correct message at the beginning of Step ||. If B 
recovers the same value Mf in all the \H\ rounds between Step |^ and Step pi, then B is 
convinced that this uniquely recovered value is the correct message. Note that this follows 
from the following arguments: 

• All paths qi, . . . ,q u from B to A are faulty. In this case B obviously has recovered the 
correct message in each round. 

• There is non- faulty path from B to A. In this case, let t > 1, q^, . . . , q\ t be a list of 
all non- faulty paths from B to A, pj t , . . . ,pj t be faulty and hi = (pi 1 , . . . , pi u ) with 
Ii 1 = j%, . . . , U t = it- If {sf j, ...,s B j) is the shares that B receives in Step ^ of round 
/, then sf-t i = s f it ■ ■ ■■> s f t i = s f t i (otherwise A identifies that some qi or pj is faulty 
in round /). That is, there are at most k — u errors in the shares (sf j, s B r), and 
B recovers the correct secret message in round /. 

Now assume that B does not recover the correct message at the beginning of Step ^ and 
B recovers different values in these \H\ rounds between Step || and Step ||. If this happens, 
then there must be non-faulty paths from B to A. In this case, both A and B continues 
the protocol from Step ||. During Step || and Step [ll| A tries to send Rf and Rf to B 
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using the (k + l)-out-of-n MDS secret sharing scheme. Since there are at most k faulty 
paths, and a (k + l)-out-of-n MDS secret sharing scheme could be used to correct error 
and simultaneously detect at least k errors, any error in these shares could be detected 
by B in Steps ^| and [l^. Since there arc non-faulty paths from B to A, any errors in 
these shares will be reported back A via the non-faulty B to A paths. Thus A initiates a 
(0,0)-secure message transmission protocol against a (k — l)-active adversary on the paths 
{pi : i 7^ io} U {qj : j ^ jo} m Step [h] or Step |lj and B will receive the secret. If any error 
occurs in these cases, B reports either the shares of R A or the shares of R A (but not both) 
to A via the B to A paths. Thus we have achieved the perfect privacy here. On the other 
hand, if there is no error in these shares of R A and R A , then B recovers the correct secret 
M B = R B + R B . 

We therefore proved that the protocol tt is (0,0)-secure against a k- active adversary. 
Q.E.D. □ 



In Theorem 4.3, we have the restriction that k > 2. In the following we show a sufficient 



condition which is applicable to k = 1. 

Theorem 4.4 Let G(V, E) be a directed graph, A,B € V . If there are 3k directed node 
disjoint paths pi, ■ ■ ■ ,P3k from A to B and one directed path q from B to A (q is node 
disjoint from pi,. ■ . ,P3k) then there is a (0, 0) -secure message transmission protocol from A 
to B against a k-active adversary. 

Proof. In the following protocol n, A (0, 0)-securely transmits M A F to B. 

Step 1 A constructs (k + l)-out-of-3fc MDS secret shares v A = (sf, sf k ) of M A . For 
each 1 < i < 3k, A sends Si to B via the path pi. 

Step 2 Let v B = (sf , ...,s B k ) be the shares B receives. If B finds that there are at most 
k — 1 errors, B recovers M B from the shares, sends "stop" to A via the path q, 
and terminates the protocol. Otherwise there are k errors. In this case B sends 
v B back to A via the path q (note that q is an honest path in this case). 

Step 3 A distinguishes the following two cases: 

1. A receives v A = (s A , ...,s A k ) from the path q. A reliably sends V = {i : s A ^ 
sf} to B. 

2. A received "stop" or anything else via q. A terminates the protocol. 

Step 4 B reliably receives V from A. B recovers M B from the shares {sf : i ^ V} and 
terminates the protocol (note that \{s B : i ^ V}\ — 2k). 

Note that if B sends v B to A in Step || then k paths from A to B are corrupted and the 
path q is honest. Thus the adversary will not learn v B . If the adversary controls the path q, 
then it may change the message "stop" to something else. In this case, A will not be able to 
identify the corrupted paths from A to B. However, since B has already recovered the key, 
B will just ignore the next received message. It is straightforward to show that the protocol 
is (0, 0)-secure. Q.E.D. □ 
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5 Efficient (0, 0)-secure message transmission in directed 
graphs 

In the previous section, we proved a necessary and sufficient condition for (0, 0)-secure mes- 
sage transmission from A to B. Our protocols in these proofs are not efficient (exponential 
in k). In this section, we show that if there are totally 3 A; + 1 paths between A and J5, then 
there are efficient (linear in u) (0, 0)-secure message transmission protocols from A to B. 

Theorem 5.1 Let G(V, E) be a directed graph, A,BeV and k > u. If there are n — 3k + 
1 — u directed node disjoint paths pi, . . . , p n from A to B and u directed node disjoint paths 
qi, . . . , q u from B to A (q 1 , . . . , q u are node disjoint from pi , . . . , p n ) then there is an efficient 
(0,0) -secure message transmission protocol from A to B against a k-active adversary. 

Proof. I f we replace the steps between Step [l| and Step ^ of the protocol tt in the proof 



of Theorem 4.3 with the following steps: 



Step 1 A constructs (fc+l)-out-of-n MDS secret shares (sf, s A ) of M A . For each i < n, 
A sends sf to B via the path pi. 

Step 2 For each i < n, B receives (or sets default) sf on path pi. If there are at most 
k — u errors in the shares (sf , ...,s„), then B recovers the secret message M B 
from these shares by correcting the errors, sends "stop" to A via all paths qi, and 
terminates the protocol. Otherwise, B sends "continue the protocol" to A via all 
paths qt and goes to Step || of the protocol n. 

Step 3 If A receives "stop" on all paths q\ , . . . , q u , then A terminates the protocol, oth- 
erwise, A goes to Step || of the protocol tt. 

Note that a (k + l)-out-of-n MDS secret sharing scheme could be used to detect k errors 
and simultaneously correct k — u errors. Thus if all the paths q\, . . . ,q u are controlled by 
the adversary, then B recovers the secret message M B in Step ||. If at least one path from 
B to A is not controlled by the adversary, then the protocol tt in the proof of Theorem 



4.3 starting from Step || will let B to recover the secret message M B . Here we should 
also note that the induction initiated in Step [l(] or Step [l4| of the protocol it works since 
3fc + l — u — l=3fe — u> 3(fc — 1) + 1 — (u — 1). It is straightforward that the protocol will 
terminates in at most Hit steps. Q.E.D. □ 



In the previous theorems, including Theorem 5.1, we have the restriction that the directed 



paths from B to A are all node disjoint from the directed paths from A to B. In the following 
theorem we partially remove this restriction. 

Theorem 5.2 Let G(V, E) be a directed graph, A, B € V . Assume that there are n = 
3fc + l — u > 2k + I (which implies k > u) directed node disjoint paths pi, . . . ,p n from A to 
B and u node disjoint directed paths q±, . . . , q u from B to A. If 3fc + 1 — 2u paths among 
these 3fc + 1 — u paths from A to B are node disjoint from the u paths from B to A, then there 
is an efficient (0,0)-secure message transmission protocol from A to B against a k-active 
adversary. 



Proof. We note that the proof of Theorem 5.1 could not be used here since if we remove 



(in the induction step) two paths pi and qj such that one of them is corrupted, we are not 
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guaranteed that the fc-active adversary becomes a (k — l)-active adversary (qj may share a 
node with some other directed paths from A to B and that node could be corrupted). 

First we describe the proof informally. The protocol is divided into two phases. In phase 
one of the protocol, A tries to transmit the secret message to B assuming at least one of 
the directed paths from B to A is not corrupted. This is done by running u concurrent 
sub-protocols in phase one, in each sub-protocol B uses one of the directed paths from B to 
A to send some feedback information to A. In the second phase of the protocol, A transmits 
shares of the secret message through the A to B paths excluding these paths which have 
intersection with B to A paths. B will use the information received in the second phase 
only if B detects that all directed paths from B to A are corrupted in phase one. 

In phase one, A and B execute the following protocol on the path set {pi : 1 < i < n}U{q} 
for each directed path q from B to A. First A chooses R a F and sends shares of Rq 
to B via the paths pi, . . . ,p n using a (k + l)-out-of-n MDS secret sharing scheme. If B 
can correct the errors in the received shares (that is, there were at most k — u errors), B 
recovers i?o- Otherwise B needs help from A and B sends the received shares back to A via 
the B to A path q. The problems are that: B may receive help even if B has never asked 
for. However B can detect this. Therefore B always works with A on such a protocol and 
recovers the correct Rq- Then A sends R\ = M A — R using a (k + l)-out-of-n MDS secret 
sharing scheme. If B can correct the errors in the received shares of Ri, B has found the 
secret and can terminate the protocol. If B cannot correct these errors, B needs to continue 
the protocol. In this situation, B distinguishes the following two cases: 

1. B has not asked for help in the transmission of Rq. B can ask for help now and B will 
then recover the secret M A . 

2. B has asked for help in the transmission of Rq. In this case B cannot ask for help 
(otherwise the adversary may learn both the values of Rq and R\ and thus may recover 
the secret). The sub- protocol needs to be restarted (that is, A constructs different Rq 
and Ri for M A and sends them to B again). Each time when A and B restart this 
sub-protocol, A sends the shares of Rq and R\ only via these "non-corrupted" paths 
from A to B. The "non-corrupted" paths are computed from the feedbacks that A 
has received from the path q. If q is not corrupted, then the computation is reliable. 
However, if q is corrupted, then the computation is unreliable. If there is at least one 
non-corrupted path q io from B to A, then B recovers the secret from the sub-protocol 
running on the path set {pi, . . . ,p n } U {qi }- Otherwise B cannot recover the secret 
in phase one and we will go to phase two. 

If B asks for help in the transmission of Ro, then both A and B "identify" the corrupted paths 
from A and B according to the information that B sends to A via the path q. If k 1 dishonest 
paths from A to B have been (correctly or incorrectly) identified at the restart of the sub- 
protocol, A uses a (k + l)-out-of-(3/c + 1 — u — k') MDS secret sharing scheme. This MDS 
secret sharing scheme will only be used for error detection (or message recovery in the case 
that no error occurs), thus it can be used to detect 3fc + l — u — k 1 — fc — 1 = 2fc — u — k' > k — k' 
errors. Due to the fact that this MDS secret sharing scheme cannot detect k errors we need 
to organize ourselves that B will never use incorrectly identified paths from A to B since 
otherwise B could compute the incorrect "secret" . This is easy to be addressed by having 
B detect whether the path q from B to A is dishonest or not. This is done by having A 
reliably send to B what A received via the path q. Since a (k + l)-out-of-(3fc + 1 — u) MDS 
secret sharing scheme can detect k errors and simultaneously correct k — u errors, both A 
and B identify at least k! > k — u + 1 dishonest paths from A to B in the first run of the 
sub-protocol. During each following run of the sub-protocol, B will either recover the secret 
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message (when no error occurs) or detect at least one corrupted path from A to B (A could 
also detect the corrupted path from A to B according to the information A received on the 
path q). Thus the sub- protocol will be restarted at most u times. 

In phase two of the protocol, A constructs (k + l)-out-of-(3fc + 1 — 2u) MDS shares 
(si, . . . , S3k+i~2u) of the secret M A and sends these shares to B via the 3k + 1 — 2u paths 
which arc node disjoint from the paths from the u paths from B to A. Note that if B has 
determined that all these u paths from B to A have been corrupted in phase one, then B 
recovers the secret M A from the received shares (sf , . . . ,s^ k+1 _ 2u ) in phase two since a 
(k + l)-out-of-(3/c + 1 — 2u) MDS secret sharing scheme can be used to detect and correct 
k — u errors simultaneously. Note that if at least one path from B to A is honest in phase 
one, then B has recovered the secret in phase and can just ignore this last message. 

Now we present the entire protocol formally. 

Step 1 B sets BA_BAD = 0. For each directed path q from B to A, A and B run the 
sub-protocol between Step ^ and Step |ll] (the sup-protocols for the u paths could 
be run parallely). 

Step 2 A sets AB_CHANNEL A = { Pl , . . . ,p„} and j A = 0. B sets AB.CHANNEL B = 
{pi, . . . ,p„} and j B = 0. 

Step 3 Let rij = |AB_CHANNEL A |. A chooses R G.r F, and constructs (k + l)-out- 
of-rij MDS secret shares {sf : p t G AB_CHANNEL A } of R . For each Pi G 
AB_CHANNEL A , A sends sf to B via the path p A . 

Step 4 For each pi G AB_CHANNEL B , B receives sf from A via the path Pi . B distin- 
guishes the following two cases: 

1. B can recover Rq. If j = and there are at most k — u errors, B recovers 
i?o by correcting the errors (note that a (k + l)-out-of-n MDS scheme can 
be used to detect k errors and simultaneously correct k — u errors). If j > 0, 
then B recovers i?o only if there is no error in the received shares. B sends 
"ok" to A via the path q. 

2. B cannot recover R . B sends {sf : Pi G AB .CHANNEL 8 } to A via the 
path q. 

Step 5 A distinguishes the following two cases: 

1. A receives "ok" via the path q. A reliably sends "ok" to B. 

2. A receives {sf : Pi G AB_CHANNEL A } (or sets default values if the re- 
ceived values are not in valid format). A sets BAD A = {p; : sf ^ s A } 
and reliably sends {sf : p l G AB _CH ANNEL A } and BAD A to B. A sets 
AB.CHANNEL A = AB.CHANNEL A \ BAD A , 

Step 6 B distinguishes the following two cases: 

1. B reliably receives "ok" from A. If B sent "ok" to A in the Step ||, then 
goes to Step |[ Otherwise, B sets BA.BAD = BA.BAD U {q} and goes to 
Step [Uj 

2. B reliably receives {sf : p 4 G AB_CHANNEL B } and BAD B from A. If 
sf = sf for all Pl e AB_CHANNEL B , then B sets AB_CHANNEL B = 
AB .CHANNEL 8 \ BAD B , recovers R from {sf : p t G AB_CHANNEL B } , 
and goes to Step @. Otherwise, B sets BA.BAD = BA.BAD U {q} and goes 
to Step |l[ 
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Let rij = | AB_CHANNEL A | . A constructs (k + l)-out-of-n., MDS secret shares 
{sf : pi S AB_CHANNEL A } of i?i = M A - R . For each Pl E AB_CHANNEL A , 
A sends sf to B via the path p^. 

For each pi £ AB_CHANNEL B , B receives sf from A via the path pi . B distin- 
guishes the following two cases: 

1. B can recover R±. B recovers R\ only if there is no error in the received 
shares. B sends "ok" to A via the path q. 

2. B cannot recover R\. For this situation we need to distinguish two cases: 

2. a) B sent "ok" to A in Step [|. That is, B has not asked for help to recover 
R . Then B can ask for help now. B sends {sf : p t e AB _CH ANNEL B } 
to A via the path q. 
2.b) B sent the received shares to A in Step ^. That is, B has asked for help 
to recover Rq. Then B cannot ask for help now. B sends "continue to 
the next round" to A via the path q. 

Step 9 A distinguishes the following three cases: 

1. A receives "ok" via the path q. A reliably sends "ok" to B. 

2. A receives "continue to the next round" via the path q. A sets j A = j + 1, 
reliably sends "continue to the next round" to B, and goes to Step ||. 

3. A receives {sf : pi £ AB_CHANNEL A } (or sets default values if the re- 
ceived values are in invalid format). A sets BAD A = {pi : sf ^ s A }, 
AB.CHANNEL A = AB.CHANNEL A \BAD A , and reliably sends {sf : Pl e 
AB_CHANNEL A } and BAD A to B. 

B distinguishes the following three cases: 

1. B reliably receives "ok" from A. If B sent "ok" to A in the Step ||, then 
B has recovered the secret. B terminates the entire protocol. Otherwise, B 
sets BA.BAD = BA.BAD U {q} and goes to Step |ll|. 

2. B reliably receives "continues to the next round". If B sent "continues to 
the next round" to A in the Step ||, then B sets j B = j B + 1 and goes to 
Step §. Otherwise, B sets BA.BAD = BA.BAD U {q} and goes to Step |l[ 

3. B reliably receives {sf : p t 6 AB_CHANNEL B } and BAD B from A. If 
sf = sf for all Pl 6 AB_CHANNEL B , then B sets AB_CHANNEL B = 
AB _CH ANNEL B \ BAD B , recovers Rx from {sf : p l G AB_CHANNEL B } , 
recovers the secret M B from both Rq and and terminates the entire 
protocol. Otherwise, B sets BA_BAD = BA_BAD U {q} and goes to Step 

B waits until all u sub-protocols in phase one finish. If |BA_BAD| = u then B 
goes to Step [l^. Otherwise, B has recovered the secret message, thus terminates 
the entire protocol. 

Step 12 A constructs (k + l)-out-of-(3/c + 1 — 2u) MDS shares (si, . . . , S3k+i-2u) of the 
secret M A and sends these shares to B via the 3k + 1 — 2u paths which are 
node disjoint from the u B to A paths. Note that if |BA_BAD| = u, then B can 
recover the secret message M B from the received shares (sf , . . . , sf k+1 _ 2u ) since 
a (k + l)-out-of-(3/s + 1 — 2u) MDS secret sharing scheme can be used to detect 
and correct k — u errors simultaneously. 
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It is straightforward to show that at the beginning of each run of the sub-protocol be- 
tween Step I and Step [0], Both A and B have the same sets of AB.CHANNEL, that is, 
AB.CHANNEL A = AB_CHANNEL B at Step |. From the analysis before the above pro- 
tocol, it is straightforward that the above protocol is a (0, 0)-secure message transmission 
protocol against a /c-active adversary. Q.E.D. □ 



6 Secure message transmissions in hypergraphs 

Applications of hypergraphs in secure communications have been studied by Franklin and 
Yung in ||. A hypergraph H is a pair (V, E) where V is the node set and E is the hyperedge 
set. Each hyperedge e £ E is a pair (A, A*) where A £ V and A* is a subset of V. In a 
hypergraph, we assume that any message sent by a node A will be received identically by 
all nodes in A* , whether or not A is faulty, and all parties outside of A* learn nothing about 
the content of the message. 

Let A, B £ V be two nodes of the hypergraph H(V, E). We say that there is a "direct 
link" from node A to node B if there exists a hyperedge (A, A*) such that B £ A* . We say 
that there is an "undirected link" from A to B if there is a directed link from A to B or a 
directed link from B to A. If there is a directed (undirected) link from A.- L to Aj+i for every 
i, < i < k, then we say that there is a "directed path" ("undirected path") from Ao to A&. 
A and i? are "strongly k-connected" ("weakly k- connected'') in the hypergraph H(V, E) if for 
all S C V — {A, _B}, 1 5 1 < fe, there remains a directed (undirected) path from A to B after 
the removal of S and all hyperedges (A, A*) such that 5 n (X* U {X}) / 0. Franklin and 
Yung H showed that reliable and private communication from A to B is possible against 
a k-passive adversary if and only if A and B are strongly 1-connected and weakly (k + 1)- 
connected. It should be noted that B and A are strongly fc-connected does not necessarily 
mean that A and B are strongly fc-conncctcd. 

Following Franklin and Yung g, and, Franklin and Wright 0, we consider multicast 
as our only communication primitive in this section. A message that is multicast by any 
node A in a hypergraph is received by all nodes A* with privacy (that is, nodes not in A* 
learn nothing about what was sent) and authentication (that is, nodes in A* are guaranteed 
to receive the value that was multicast and to know which node multicast it). We assume 
that all nodes in the hypergraph know the complete protocol specification and the complete 
structure of the hypergraph. 

Definition 6.1 Let H(V,E) be a hypergraph, A, B £ V be distinct nodes of H, and k > 0. 
A, B are fc -separable in H if there is a node set W C V with at most k nodes such that any 
directed path from A to B goes through at least one node in W . We say that W separates 
A,B. 

Remark. Note that there is no straightforward relationship between strong connectivity 
and separability in hypergraphs. 

Theorem 6.2 Let H(V,E) be a hypergraph, A, B £ V be distinct nodes of H , and k > 0. 
The nodes A and B are not 2k-separable if and only if there are 2k + 1 directed node disjoint 
paths from A to B in H . 

Proof. This follows directly from the maximum-flow minimum-cut theorem in classical 
graph theory. For details, see, e.g., Q. Q.E.D. □ 
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Theorem 6.3 Let H(V, E) be a hypergraph, A, B € V be distinct nodes of H, and k > 0. 

A necessary and sufficient condition for reliable message transmission from A to B against 
a k-active adversary is that A and B are not Ik-separable in H . 



Proof. First assume that A and B cannot be separated by a 2fc-node set. By Theorem 



6.2, there are 2k + 1 directed node disjoint paths from A to B in H. Thus reliable message 
transmission from A to B is possible. 

Next assume that A and B can be separated by a 2fc-node set W in H . We shall show 
that reliable message transmission is impossible. Suppose that 7r is a message transmission 
protocol from A to B and let W = Wo U W\ be a 2fc-node separation of A and B with 
Wq and W% each having at most k nodes. Let mo be the message that A transmits. The 
adversary will attempt to maintain a simulation of the possible behavior of A by executing 
7r for message mi ^ mo- The strategy of the adversary is to flip a coin and then, depending 
on the outcome, decide which set of Wo or W\ to control. Let Wb be the chosen set. In 
each execution step of the transmission protocol, the adversary causes each node in Wb to 
follow the protocol 7r as if the protocol were transmitting the message m\. This simulation 
succeeds with nonzero probability. Since B does not know whether b = or b = 1, at the 
end of the protocol B cannot decide whether A has transmitted mo or mi if the adversary 
succeeds. Thus with nonzero probability, the reliability is not achieved. Q.E.D. □ 



Theorem 6.3 gives a sufficient and necessary condition for achieving reliable message trans- 
mission against a k- active adversary over hypergraphs. In the following example, we show 
that this condition is not sufficient for achieving privacy against a fc-active adversary (indeed, 
even not for a fc-passive adversary). 

Example 1 Let H(V, Eh) be the hypergraph in Figure |J where V — {A, B, v±, Vi, v, u%, u 2 } 
andE h = {(A,{v 1 ,v 2 }), {v 2 ,{v,B}), (A,{ Ul ,u 2 }), (u ly {v,B}), (u 2 ,{v,B})}. 

Then the nodes A and B are not 2-separable in H . Theorem \6.t\ shows that reliable message 
transmission from A to B is possible against a 1- active adversary. However, the hypergraph 
H is not weakly 2-connected (the removal of the node v and the removal of the corresponding 
hyperedges will disconnect A and B). Thus, the result by Franklin and Yung J^/ shows that 
private message transmission from A to B is not possible against a 1-passive adversary. 

Theorem 6.4 Let 8 > and A and B be two nodes in a hypergraph H(V, E) satisfying the 
following conditions: 

1. A and B are not Ik-separable in H . 

2. B and A are not 2k-separable in H . 

3. A and B are strongly k-connected in H . 

Then there is a (0, S)-secure message transmission protocol from A to B against a k-active 
adversary. 



Proof. Assume that the conditions of the theorem is satisfied. For each fc-node subset 
set S ofV\{A, B}, let ps be a directed path from A to B which witnesses that A and B are 
strongly fc-connected by removing the nodes in S and corresponding hyperedges in H. Let 
S = {S : S C V \ {A, B}, \S\ = k} and V = {ps : S £ S}. Then A transmits the message 
M A to B using the following protocol. 
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Figure 1: The hypergraph H(V,Eh) in Example |l| 

Step 1 For each S £ S, A chooses a random pair (as, bs) £r F 2 , and transmits this pair 
to B via the path p$. 

Step 2 For each S £ S, B receives a pair (a B , bg) from A via the path ps- 

Step 3 For each S £ S, B chooses a random r$ £r F and computes ss — auth(rg; a§, b B ). 

Step 4 £? reliably transmits s = ((rs, ss) ■ S € S) to A. 

Step 5 A reliably receives the value s = ((rs, ss) ■ S £ S) from B. 

Step 6 A computes the key index set -Kmdcx = {is '■ ss — auth(rs; a,g, bg)} and the shared 
secret K A = Ei sG K ittdex a S- 

Step 7 A reliably transmits (i^index, M A + K A ) to B, where M A is the secret message. 

Step 8 B reliably receives the value (i^index, c) from A. B computes the shared secret 
K B = J2i s eK- d a s ' an< ^ decrypts the message M B = c — K B . 

It is possible that a A ^ a§ but auth(rs; a A , b A ) — auth(rs; a§,b§) for some S £ S. However 
this probability is negligible. Thus the above protocol is reliable with high probability. Since 
A and B are strongly fc-connected in H, there is a pair (as,bs) such that (as,bs) reliably 
reaches B and the adversary cannot infer any information of as from its view. Thus the 
above protocol is (0, <5)-secure against a fc-active adversary if one chooses sufficiently large 
F. Q.E.D. □ 

The results in Sections |^ and ^ show that the condition in Theorem 6.4 is not necessary. 



7 Secure message transmission over neighbor networks 
7.1 Definitions 

A special case of the hypergraph is the neighbor networks. A neighbor network is a graph 
G(V,E). In a neighbor network, a node A € V is called a neighbor of another node B € V 
if there is an edge (A, B) £ E. In a neighbor network, we assume that any message sent by 
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a node A will be received identically by all its neighbors, whether or not A is faulty, and all 
parties outside of ^4's neighbor learn nothing about the content of the message. 

For a neighbor network G(V, E) and two nodes A, B in it, Franklin and Wright j7j, and, 
Wang and Desmedt (TtJ showed that if there are n multicast lines (that is, n paths with 
disjoint neighborhoods) between A and B and there are at most k malicious (Byzantine 
style) processors, then the condition n > k is necessary and sufficient for achieving efficient 
probabilistically reliable and perfect private communication. 

For each neighbor network G(V, E), there is a hypergraph Hg{V, Eh) which is equivalent 
to G(V,E) in functionality. Hc(V,Eh) is defined by letting Eh be the set of hyperedges 
(A, A*) where A eV and A* is the set of neighbors of A. 

Let A and B be two nodes in a neighbor network G(V, E). We have the following 
definitions: 

1. A and B are k-connected in G(V, E) if there are k node disjoint paths between A and 
B in G(V,E). 

2. A and B are weakly k-hyper- connected in G(V,E) if A and B are weakly fc-connected 
mH G (V,E h ). 

3. A and B are k- neighbor- connected in G(V,E) if for any set V% C V \ {A, B} with 

Vi | < k, the removal of neighbor(V\) and all incident edges from G(V, E) does not 
disconnect A and B, where 

neighbor(Vi) = V x U {A e V : thereexistsB 6 Vi(B, A) such that E E} \ {A, B}. 

4. A and B are weakly (n,k)- connected if there are n node disjoint paths pi,...,p n 
between A and B and, for any node set T C (V \ {A, £?}) with |T| < fc, there exists 
1 < i < n such that all nodes on pi have no neighbor in T. 

It is easy to check that the following relationships hold. 

weak (n, fc — l)-connectivity (n > k) => fc-neighbor-connectivity => weak 
fc-hyper-connectivity fc-connectivity 

In the following examples, we show that these implications are strict. 

Example 2 Let G(V,E) be the graph in Figure || where V — {A, B,C, D} and E = 
{(A, C), (C, B), (A, D), (D, B), (C, D)}. Then it is straightforward to check that G(V, E) 
is 2- connected but not weakly 2-hyper- connected. 




O B 



Figure 2: The graph G(V,E) in Example 
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Figure 3: The graph G(V,E) in Example | 

Example 3 Let G(V,E) be the graph in Figure ^ where V = {A, B,C, D, F} and E = 
{(A,C), (A, D), (C,B), (D, B), (C,F), (F, D)}. Then it is straightforward to check that A 
and B are weakly 2 -hyper- connected but not 2-neighbor-connected. 

Example 4 Let G(V, E) be the graph in Figure f| where V = {A, B, C, D, E, F, G, H} 
andE = {(A,C), (C,D), (D, E) (E,B), (A, F), (F, G), (G,H) (H, B), (C,H), (E, F)}. 
Then it is straightforward to check that A and B are 2-neighbor-connected but not weakly 
(2, \)-connected. 
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Figure 4: The graph G(V, E) in Example [| 

Example ^| shows that fc-connectivity does not necessarily imply weak /c-hyper-connectivity. 
Example ^| shows that weak /c-hyper-connectivity does not necessarily imply fc-neighbor- 
connectivity. Example ^ shows that fc-neighbor connectivity does not necessarily imply 
weak (n, k — l)-connectivity for some n > k. 

7.2 (0, 5)-Secure message transmission over neighbor networks 

Wang and Desmedt [[l7j have given a sufficient condition for achieving (0, i5)-security message 
transmission against a fc-active adversary over neighbor networks. In this section, we show 
that their condition is not necessary. 



Theorem 7.1 (Wang and Desmedt \lnj) If A and B are weakly (n,k)- connected for some 
k <n, then there is an efficient (0, S)-secure message transmission between A and B. 



The condition in Theorem 7.1 is not necessary. For example, the neighbor network G in 
Example || is not 2-neighbor-connected, thus not weakly (2, l)-connected. In the following 
we present a (0, 5)-secure message transmission protocol against a 1-active adversary from 
A to B for the neighbor network of Example || . 

Message transmission protocol for neighbor network G in Example |3|. 
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Step 1 A chooses two random pairs (r A , r A ) F 2 and (r A , r A ) F 2 . A sends (r A , r A ) 
to C and [r A ,r A ) to D. 

Step 2 _B chooses two random pairs (rf ,rf) F 2 and (r^jrj 3 ) F 2 . _B sends 
(rf ,rf ) to C and (rf ,rf ) to L>. 

Step 3 C chooses a random pair (01,61) F 2 . C sends (ai + r^,6i + r A ) to A and 
(ax + rf ,bi + rf ) to B. 

Step 4 D chooses a random pair (02,62) &r F 2 . Z? sends (02 + r^, 62 + ^) to A and 
(a 2 + rf ,6 2 +rf ) to B. 

Step 5 From the messages received from C and D, A computes (a A , b A ) and (a A , fcf)- 

Step 6 From the messages received from C and D, B computes (af , bf) and (a^, frf)- 

Step 7 £? chooses a random r G_r F, computes si = auth(r; af, bf ) and S2 = auth(r; > &2 ) 
Using the probabilistically reliable message transmission protocol of Franklin and 
Wright 0, £? transmits (r, Si,S2) to A. 

Step 8 Let (r" 4 , , s^) be the message received by A in the last step, A computes the 
key index set ifjndex = {* : s t — auth(r j4 ; af-, bf)}. A also computes the shared 



secret K A = J2i 



Step 9 Using the probabilistically reliable message transmission protocol of Franklin and 
Wright j7|, A transmits (-Kmdex, M A +K A ) to B, where M A is the secret message. 

Step 10 Let {K^ dc ^, c B ) be the message that B received in the last step. B computes the 
shared secret K B — J2 ieK B af , and decrypts the message M B = c B — K B . 

It is straightforward to check that the above protocol is an efficient (0, <5)-secure message 
transmission protocol from A to B against a 1-active adversary. 

Example [y shows that for a general hypergraph, the existence of a reliable message trans- 
mission protocol does not imply the existence of a private message transmission protocol. We 
show that this is true for probabilistic reliability and perfect privacy in neighbor networks 
also. 

Example 5 Let G(V, E) be the neighbor network in Figure where V = {A, B, C, D, E, F, 
G} and E = {(A,C),(C,D),(D,B),(A,E),(E,F),{F,B),{G,C),{G,D),{G,E),(G,F)}. 
Then there is a probabilistic reliable message transmission protocol from A to B against a 
1-active adversary in G. But there is no private message transmission from A to B against 
a 1-passive (or 1-active) adversary in G. 
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Proof. It is straightforward to check that G(V, E) is not weakly 2-hyper-connected. 
Indeed, in the hypergraph Hq(V,E}A of G(V,E), the removal of node G and the removal 
of the corresponding hyperedges will disconnect A and B completely. Thus Franklin and 
Yung's result in || shows that there is no private message transmission protocol against 
a 1-passive (or 1-active) adversary from A to B. It is also straightforward to check that 
Franklin and Wright's Q| reliable message transmission protocol against a 1-active adversary 
works for the two paths (A, C, D, B) and (A, E, F, B). Q.E.D. □ 

Though weak fc-hyper-connectivity is a necessary condition for achieving probabilistically 
reliable and perfectly private message transmission against a (k — l)-active adversary, we do 
not know whether this condition is sufficient. We conjecture that there is no probabilistically 
reliable and perfectly private message transmission protocol against a 1-active adversary for 
the weakly 2-hyper-connected neighbor network G(V,E) in Figure where V — {A, B, 
C, D, E, F, G, H} and E = {(A,C), (C,D), (D, E), (E, B), (A, F), (F, G), (G, H), 
(H,B), (D,G)}. Note that in order to prove or refute our conjecture, it is sufficient to 
show whether there is a probabilistically reliable message transmission protocol against a 1- 
active adversary for the neighbor network. For this specific neighbor network, the trick in our 
previous protocol could be used to convert any probabilistically reliable message transmission 
protocol to a probabilistically reliable and perfectly private message transmission protocol 
against a 1-active adversary. 




Figure 6: The graph G(V, E) 
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